What's wrong with this firewall config? (Basic setup)

ValleyITPC
Level 1

I've got a single router (IOS 15.0), 1 inside interface (vlan1) and one outside int, gig0.  Using Zone-based firewall. 

Router has NAT, using a static entry as follows:

ip nat inside source static tcp 192.168.5.150 3389 <my external ip> 35411 extendable

With the ZFW off, this port translation works and I am able to RDP to the internal system from an external source.

With ZFW enabled, it fails.  Logging shows that the packets are being dropped by the outside-inside policy map, by the class: class default map.  I am new to ZFW but my interpretation is that this simply means that the packet did not meet any of the other class map criteria for that policy map, thus it defaulted to the drop action of the default class map terminating any policy map.

The question is why it didn't meet the criteria.  Here are the policy and class maps that govern the outside-inside zone pair:

Class Map type inspect match-any outside-inside
   Match access-group  166
   Match class-map inbound-protocols

For reference, class map "inbound-protocols" is below:

Class Map type inspect match-any inbound-protocols
   Match protocol smtp
   Match protocol http
   Match protocol https

And the contents of access list 166 is:

10 permit tcp any any eq 35411

The policy map applied to the zone pair is:

Router#sh policy-map type inspect
  Policy Map type inspect outside-inside
    Class outside-inside
      Inspect
    Class class-default
      Drop

On the outside-inside class map, I had also tried match-all instead of match-any, same result in the logging (sh run | i FW). 

Also the external host CAN reach the internal web server (80, 443) using similar static NAT entries and through the firewall, except since those are using standard ports, no PAT is taking place.  This RDP entry is the only one mapping port 35411 to 3389.

Not sure if there is some other type of logging I should look at, or what.  I am new to many aspects of this stuff including logging so please feel free to dummy-talk with me as it's very possible I may be missing something simple.

Thank you!

1 Accepted Solution

Accepted Solutions

Julio Carvajal
VIP Alumni

Hello Valley,

NAT goes first, then ZBFW.

Do the following:

ip access-list extended 166
 permit tcp any host 192.168.5.150 eq 3389

Remember to rate all of the helpful posts,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


3 Replies


Wow I didn't know that (NAT before ZFW).  That is very good to know. 

Well, it turns out I solved my problem a different way, although I will test yours too so I can get the hands-on experience.

I ended up making my own protocol by using ip port-map user-RDP tcp port 3389 and making a new class map for it. 

I did it based on another thread of yours, but had no idea of the effect because at the time I thought ZFW came before NAT, so I did not understand how creating a protocol inspection for 3389 would affect the firewall.

Anyway, it worked, so to keep the config clean I'll add it to my other class map's list of allowed protocols rather than have a separate ACL or a separate class map.  I am still pre-CCNA, so I am learning new things and will be trying out your ACL solution too.

By the way I still need you to call me, but for Self zone and VPN talk. 

Thanks for your help! 
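As an added example that is not part of the original thread, here are the two fixes from the discussion written out as IOS CLI: Julio's ACL change (match the post-NAT inside address and port) and the user port-map from the reply above, shown together with the rest of the outside-inside policy. Either fix alone is enough; the zone names and the zone-pair name are assumed, while the addresses and ports are the ones given in the question.

```cisco
! Added example, not the thread's own config. Zone names (outside, inside)
! and the zone-pair name are assumed; addresses/ports are from the question.
!
! Static PAT as posted: <my external ip>:35411 -> 192.168.5.150:3389
ip nat inside source static tcp 192.168.5.150 3389 <my external ip> 35411 extendable
!
! Why "permit tcp any any eq 35411" never matched: for outside-to-inside
! traffic the NAT translation is applied before zone-pair inspection, so
! the class map sees dst 192.168.5.150:3389, not <my external ip>:35411.
! Fix 1 (Julio): match the translated inside address and port.
ip access-list extended 166
 permit tcp any host 192.168.5.150 eq 3389
!
! Fix 2 (the reply): define a user port-map so RDP can be matched with
! "match protocol" alongside smtp/http/https. User-defined port-map
! names must begin with "user-".
ip port-map user-rdp port tcp 3389
!
class-map type inspect match-any inbound-protocols
 match protocol smtp
 match protocol http
 match protocol https
 match protocol user-rdp
!
class-map type inspect match-any outside-inside
 match access-group 166
 match class-map inbound-protocols
!
! Unmatched traffic still hits class-default and is dropped; "log" keeps
! the drop messages the question relied on for troubleshooting.
policy-map type inspect outside-inside
 class type inspect outside-inside
  inspect
 class class-default
  drop log
!
! Assumed zone-pair binding the policy to outside -> inside traffic.
zone-pair security outside-inside source outside destination inside
 service-policy type inspect outside-inside
```

After applying either fix, `show policy-map type inspect zone-pair outside-inside` shows the session counters for the inspect class incrementing instead of the class-default drop counter.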

Hello,

Sure, I will

Glad I could help.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC